CONFIDENTIAL — Shared under mutual NDA. Do not distribute outside your organization.
Incident Response Policy
CloudFive · Effective: June 2026 · Owner: Todd Densmore · Review: Annual
1. Purpose
This policy defines how CloudFive detects, responds to, and recovers from security incidents affecting client data
or CloudFive systems. The goal is to minimize impact, restore operations quickly, and improve defenses after every incident.
2. What Constitutes an Incident
- Unauthorized access to CloudFive or client systems
- Data breach or suspected exfiltration of client data
- Malware or ransomware on CloudFive endpoints
- Credential compromise (phishing, account takeover)
- Availability disruption to client-facing infrastructure
- Accidental exposure of sensitive data (misconfigured S3 bucket, leaked key)
3. Incident Severity
- P1 — Critical: Active breach, confirmed data exfiltration, ransomware. Response time: immediate (within 1 hour).
- P2 — High: Suspected breach, credential compromise, significant availability loss. Response: within 4 hours.
- P3 — Medium: Anomalous activity, potential exposure, minor availability event. Response: within 24 hours.
- P4 — Low: Policy violation, failed intrusion attempt, informational alert. Response: within 5 business days.
4. Response Phases
Phase 1 — Detection & Triage
Identify the incident through monitoring alerts (AWS GuardDuty, CloudTrail anomalies, endpoint alerts) or an external report.
Assess severity, assign a P-level, and begin the incident log.
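The following is an added illustration of the Phase 1 triage step, not CloudFive's own tooling. It reads CloudTrail records (the sample events below are constructed, not real log output), maps each to an incident category from section 2, assigns the P-level from section 3, and opens an incident-log entry with the response deadline. The CloudTrail field names (eventName, eventSource, errorCode, userIdentity, responseElements, additionalEventData, requestParameters) are the real record format; the event-to-category mapping, the access-denial threshold, and the placeholder incident id are assumptions chosen to match the policy text. Log evidence alone never produces P1 here, because section 3 reserves P1 for confirmed breach or exfiltration, which is a human determination made during triage.

```python
"""Phase 1 triage helper: CloudTrail records -> P-level -> incident log entry.

Added example for the Incident Response Policy; not CloudFive's own code.
Category/severity mapping and ACCESS_DENIED_THRESHOLD are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4}

# Section 3 response windows. P4 is "5 business days" in the policy; this
# helper uses 5 calendar days (assumption: avoids a business-day calendar).
RESPONSE_WINDOW = {
    "P1": timedelta(hours=1),
    "P2": timedelta(hours=4),
    "P3": timedelta(hours=24),
    "P4": timedelta(days=5),
}

ACCESS_DENIED_THRESHOLD = 5  # assumption: this many denials from one identity is anomalous
DENIAL_CODES = ("AccessDenied", "UnauthorizedOperation")


def _actor(event):
    """Best-effort identity label from the userIdentity block."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def _has_public_grant(obj, key=None):
    """Walk requestParameters for an AllUsers ACL grant or a wildcard Principal."""
    if isinstance(obj, dict):
        return any(_has_public_grant(v, k) for k, v in obj.items())
    if isinstance(obj, list):
        return any(_has_public_grant(v, key) for v in obj)
    if isinstance(obj, str):
        return obj.endswith("global/AllUsers") or (key in ("Principal", "AWS") and obj == "*")
    return False


def classify_event(event):
    """Map one CloudTrail record to (category, severity), or None if not incident-relevant.

    Caps at P2: "confirmed" breach/exfiltration (P1) needs responder confirmation.
    """
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    if name == "ConsoleLogin":
        if event.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            return ("failed intrusion attempt", "P4")  # section 3: P4
        if event.get("additionalEventData", {}).get("MFAUsed") == "No":
            return ("credential compromise (suspected: console login without MFA)", "P2")
        return None
    if source == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail"):
        return ("suspected breach (audit logging disabled)", "P2")
    if source == "s3.amazonaws.com" and name in ("PutBucketAcl", "PutBucketPolicy"):
        if _has_public_grant(event.get("requestParameters", {})):
            return ("accidental exposure of sensitive data (public bucket grant)", "P3")
        return None
    if source == "iam.amazonaws.com" and name == "CreateAccessKey" \
            and event.get("userIdentity", {}).get("type") == "Root":
        return ("anomalous activity (root access key created)", "P3")
    return None


def triage(events, detected_at):
    """Classify records, assign the overall P-level, and begin the incident log.

    Returns None when nothing is incident-relevant, otherwise the log entry.
    """
    findings = []
    for ev in events:
        hit = classify_event(ev)
        if hit:
            findings.append({"category": hit[0], "severity": hit[1],
                             "actor": _actor(ev), "event_ids": [ev.get("eventID")]})
    # Repeated access denials from one identity: "anomalous activity" (P3).
    denials = Counter(_actor(ev) for ev in events if ev.get("errorCode") in DENIAL_CODES)
    for actor, n in denials.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            ids = [ev.get("eventID") for ev in events
                   if _actor(ev) == actor and ev.get("errorCode") in DENIAL_CODES]
            findings.append({"category": f"anomalous activity ({n} access denials)",
                             "severity": "P3", "actor": actor, "event_ids": ids})
    if not findings:
        return None
    severity = min((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)
    return {
        "incident_id": "INC-<placeholder>",  # assigned by the real incident log
        "detected_at": detected_at.isoformat(),
        "severity": severity,
        "respond_by": (detected_at + RESPONSE_WINDOW[severity]).isoformat(),
        "actors": sorted({f["actor"] for f in findings}),
        "findings": findings,
        "status": "open",
    }


# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e4", "eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"bucketName": "client-exports", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}},
] + [
    {"eventID": f"d{i}", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"}
    for i in range(5)
]

if __name__ == "__main__":
    entry = triage(SAMPLE_EVENTS, datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc))
    for f in entry["findings"]:
        print(f["severity"], f["actor"], f["category"], f["event_ids"])
    print(entry["severity"], "respond by", entry["respond_by"])
```

On the sample data the entry opens at P2 (the no-MFA login and the disabled trail), with a response deadline four hours after detection, and the responder decides during triage whether anything is confirmed enough to escalate to P1. The `event_ids` recorded per finding are the evidence references the incident log needs before Phase 2 containment changes anything.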
Phase 2 — Containment
Isolate affected systems (revoke credentials, quarantine EC2 instances, disable compromised accounts).
Preserve evidence (snapshot affected systems before remediation). Stop the bleeding before fixing the root cause.
Phase 3 — Eradication
Remove the threat (malware, backdoors, unauthorized access). Rotate all potentially exposed credentials.
Review access logs to identify the full scope. Patch the exploited vulnerability.
Phase 4 — Recovery
Restore systems from clean backups where needed. Verify integrity before returning to production.
Re-enable services. Monitor closely for 48 hours post-recovery.
Phase 5 — Post-Mortem
Conduct blameless post-mortem within 5 business days. Document: timeline, root cause, impact, response actions,
and prevention measures. Share relevant portions with affected clients.
5. Client Notification
- P1/P2 incidents affecting client data: Initial notification within 72 hours of confirmation.
- Notification includes: nature of incident, data affected, containment status, next steps.
- Follow-up full incident report provided within 14 days.
- CloudFive will cooperate fully with client forensic investigations.
6. Contact During an Incident
Primary: Todd Densmore — todd@cloudfive.net
To report a suspected incident: email with the subject line [SECURITY INCIDENT].
7. Tools & Resources
- AWS GuardDuty — threat detection
- AWS CloudTrail — API activity logs
- AWS Config — configuration compliance
- 1Password — credential management and rotation